Preface

19

Structure of This Book

20

Target Audience

20

How to Use This Book

21

Conclusion

21

1 SAP Governance, Risk, and Compliance Overview

25

1.1 SAP GRC Suite Overview and Components

28

1.1.1 Value of the Suite as a Whole

29

1.1.2 Reasons to Implement SAP GRC

30

1.1.3 SAP Access Control

31

1.1.4 SAP Process Control

41

1.1.5 SAP Risk Management

49

1.1.6 SAP Global Trade Services and SAP Nota Fiscal Electronica

54

1.2 Shared Master Data

66

1.3 SAP Content Life Cycle Management

67

1.4 SAP GRC 10.0 Architecture and Landscape

69

1.4.1 Backend System Requirements

69

1.4.2 Two-Tier versus Three-Tier Landscapes

72

1.4.3 Frontend Options

73

1.5 Summary

74

2 Planning SAP GRC Implementations

75

2.1 Regulations and Policies in SAP GRC

76

2.1.1 Japan’s J-SOX

77

2.1.2 Australia’s CLERP-9

78

2.1.3 Canada’s C-11

78

2.1.4 Basel II

78

2.2 Purpose of SAP GRC Tools

79

2.3 Business Processes and Controls

81

2.4 Organizational Hierarchy and Local Controls

82

2.5 User Interface and Work Center

85

2.6 Rules

87

2.7 Reporting

87

2.8 Summary

90

3 SAP Access Control Overview

91

3.1 General Assumptions during Implementation

92

3.1.1 SAP NetWeaver Business Client as SAP Access Control User Interface

94

3.1.2 SAP NetWeaver Business Client Use Case

96

3.2 SAP Access Control—Post-Installation Technical Settings

98

3.2.1 Basis Preliminary Check

99

3.2.2 Activating BC Sets

105

3.2.3 Activate Common Workflow

110

3.2.4 Workflow Verification

117

3.2.5 Troubleshooting for Task-Specific Customization

124

3.2.6 Shared Configuration of SAP GRC Systems

130

3.2.7 SAP Crystal Reports Features

137

3.2.8 Activate Profile of Roles Delivered by SAP

138

3.2.9 Creating the Initial User in the ABAP System

140

3.3 SAP Access Control Configuration

142

3.4 Summary

144

4 Emergency Access Management Overview

147

4.1 Using Emergency Access Management

149

4.2 Emergency Access Management Configuration in SAP GRC

152

4.2.1 Configuration Parameters

152

4.2.2 General Configuration Steps

153

4.2.3 Email Configuration

157

4.3 Using a Firefighter ID

159

4.4 Reporting

161

4.4.1 Consolidated Log Report

162

4.4.2 Reason Code and Activity Report

165

4.4.3 Firefighter Log Summary Report

165

4.4.4 Invalid Emergency Access Report

166

4.4.5 Transaction Logs and Session Detail

166

4.4.6 SOD Conflict Report for Firefighter IDs

166

4.4.7 Reason Code Usage Frequency

167

4.5 Summary

168

5 Access Risk Analysis Overview

169

5.1 Access Risk Analysis Basic Configuration

172

5.1.1 Maintaining SAP Access Control Risk Analysis Configuration Parameters

173

5.1.2 Adding a Connector to the AUTH Scenario

175

5.1.3 Risk Loading and Activation

176

5.1.4 Synchronization Jobs

183

5.1.5 Rule Set Maintenance

184

5.1.6 Maintain Shared Master Data

188

5.1.7 Perform Batch Risk Analysis

190

5.2 Access Risk Analysis Reporting

193

5.3 Risk Remediation Process

196

5.3.1 Role Cleanup Process with Access Risk Analysis

197

5.3.2 Risk Mitigation as Remediation

198

5.4 Alert Monitoring

200

5.5 Risk Terminator

200

5.5.1 Configuration Setup in the SAP GRC System

201

5.5.2 Configuration Setup in the Plug-In System

201

5.6 Access Risk Analysis 10.0: Additional Features

202

5.6.1 Initial Access Risk Assessment

202

5.6.2 Additional Reporting Features

202

5.7 Summary

204

6 Business Role Manager Overview

205

6.1 Business Role Manager Configuration

207

6.1.1 Activation of BC Sets

208

6.1.2 Verifying Default Configuration Parameters

209

6.1.3 Maintain Role Type Settings

212

6.1.4 Specify Naming Conventions

213

6.1.5 Standard Role Methodology

217

6.1.6 MSMP Workflow Configuration

219

6.1.7 Creating Role Owners

222

6.2 Business Role Manager Use: Creating a New Single Role

223

6.2.1 Assigning Authorizations to the New Role

224

6.2.2 Analyzing Access Risks and Remediation

226

6.2.3 Request Approval

227

6.2.4 Role Generation

227

6.2.5 Testing the Role

228

6.3 Role Maintenance and Reporting

229

6.4 Summary

230

7 User Access Management Overview

231

7.1 Different User Roles in User Access Management

234

7.1.1 General Users

234

7.1.2 Requestors

235

7.1.3 Approvers

235

7.1.4 Administrators

236

7.1.5 Auditors

236

7.2 Maintenance of Users

237

7.3 User Access Management Configuration

237

7.3.1 Basic Requirements

238

7.3.2 Activation of Business Configuration (BC) Sets

239

7.3.3 Configuration Parameters

240

7.3.4 Maintain Connector Settings

241

7.3.5 Maintain Data Sources Configuration

245

7.3.6 Define Request Type

247

7.3.7 Maintain Number Range Intervals for Provisioning Requests

248

7.3.8 Define Number Range for Provisioning Requests

249

7.3.9 Maintain End User Personalization

249

7.3.10 Maintain Provisioning Settings

251

7.3.11 Maintain User Defaults

253

7.3.12 Activate End User Logon

253

7.4 Configure the MSMP Workflow

255

7.5 Process Details: Change/Create Access Request

259

7.5.1 Role Availability for Provisioning

261

7.5.2 Access Request Process Steps

262

7.6 Password Self-Service

263

7.6.1 Maintain Password Self-Service

263

7.7 User Access Management Reporting

265

7.8 Summary

268

8 SAP Access Control Advanced Topics

269

8.1 Multistage Multipath (MSMP) Workflow

270

8.1.1 Configure Process and Global Setting

271

8.1.2 Maintain Rules and Rule Results

274

8.1.3 Maintain Agents

278

8.1.4 Variables and Templates

281

8.1.5 Maintain Paths and Assign Stages to Path

282

8.1.6 Maintain Stages

284

8.1.7 Maintain Stage Task Settings

286

8.1.8 Notification Settings

289

8.1.9 Maintain Route Mapping

290

8.1.10 Generate Versions

291

8.2 Debugging MSMP

293

8.3 Business Rule Framework Plus (BRF+)

295

8.3.1 BRF+ Use Case in SAP Access Control

296

8.3.2 Chaining Routing Rules Using a Function Module and BRF+

305

8.3.3 BRF+ Function in Business Role Manager

306

8.4 Workflow Notification Maintenance in MSMP

310

8.4.1 Available Notification Templates

310

8.4.2 Notification Variables

317

8.5 Customizing Workflow Processes: Email Notifications

320

8.5.1 Creation of Custom Document Objects

320

8.5.2 Associate Custom Document Object with Message Class

321

8.6 Select Notification Templates and Recipients

323

8.7 Setting Up Email Reminders

325

8.8 Periodic Reviews

326

8.8.1 Configuration for SoD Review

328

8.8.2 Maintain Reviewers and Coordinators

330

8.8.3 Generate Data for SoD Review

332

8.9 HR Triggers

338

8.10 Summary

340

9 SAP Process Control Overview

341

9.1 The Evolution of SAP Process Control

342

9.2 SAP Process Control Features

342

9.2.1 Date Validity

343

9.2.2 Views

344

9.3 Architecture

344

9.3.1 Installation and Setup

346

9.4 Configuration and Basic Settings

347

9.4.1 General Settings

349

9.4.2 Shared Master Data Settings

356

9.4.3 SAP Process Control Reporting

357

9.4.4 Common Component Settings for SAP Process Control

358

9.5 Implementation Overview of SAP Process Control

360

9.5.1 Setting Business Goals

361

9.5.2 Phased Approaches

361

9.5.3 Master Data Collection

363

9.5.4 Process Control Users and Roles

363

9.6 Overview of SAP Process Control Usage

364

9.6.1 Documenting

365

9.6.2 Scope

365

9.6.3 Evaluation

366

9.6.4 Monitoring and Remediation

366

9.6.5 Reporting

367

9.6.6 Certification

368

9.6.7 Policy Management

369

9.7 Summary

369

10 SAP Process Control Master Data

371

10.1 Organizations

374

10.1.1 Multiple Hierarchies

376

10.1.2 Validity Dates and Time Frames in the Organization Structure

377

10.2 Business Process Models

378

10.3 Regulations

382

10.4 Policies

384

10.5 Accounts and Account Groups

385

10.6 Master Data Content Management and Transport

387

10.6.1 Master Data Upload Generator

388

10.6.2 Content Lifecycle Management

391

10.6.3 CLM versus MDUG

393

10.7 Summary

394

11 Continuous Controls Monitoring

397

11.1 Continuous Monitoring Architecture

398

11.2 Configuring Continuous Control Monitoring

402

11.3 Creating Data Sources

409

11.3.1 Adding Data Source Information

411

11.3.2 Defining the Technical Details

413

11.3.3 Pointing to a Connector

415

11.3.4 Adding Documentation

417

11.4 Creating Business Rules

418

11.4.1 Basic Information

421

11.4.2 Filter Criteria

422

11.4.3 Deficiency Criteria

423

11.4.4 Conditions and Calculations

425

11.4.5 Technical Settings and Monitoring Rule Behavior

426

11.4.6 Ad Hoc Query

426

11.5 Data Source Types and Related Rules

427

11.6 Assigning Rules to Controls

430

11.7 Scheduling Monitoring Rules

431

11.8 Structured Approach to Continuous Controls Monitoring

434

11.8.1 The Nature of ERP Controls

435

11.8.2 The Goal of Monitoring

436

11.8.3 Effective Monitoring

437

11.8.4 The Importance of Proper Configurations and Master Data Settings

438

11.8.5 Transactions

439

11.8.6 Reports and Analytics

440

11.9 Summary

441

12 Continuous Controls Monitoring: Data Source Types

443

12.1 Configurable Data Sources and Rules

444

12.1.1 Configurable Data Sources

445

12.1.2 Configurable Business Rules

449

12.1.3 Limitations of Configurable Data Sources and Rules

450

12.2 Change Log Check Rules

452

12.2.1 Change Tracking: Logs versus Polling

453

12.2.2 Defining Change Log Rules

454

12.3 Other Data Source Types and Rules

459

12.3.1 ABAP Reports

459

12.3.2 Segregation of Duty Integration

460

12.3.3 SAP NetWeaver BW Query

460

12.3.4 Event-Driven Data Sources

461

12.3.5 SAP NetWeaver Process Integration

462

12.3.6 External Partner Data Sources

464

12.3.7 ABAP Program Data Sources

464

12.4 Performance Considerations with Change Logging

465

12.5 Summary

465

13 Continuous Controls Monitoring: Advanced Topics

467

13.1 Operational Data Provider (ODP) Rules

468

13.2 SAP HANA

468

13.3 Using SAP NetWeaver BRF+ to Build Advanced Rules

471

13.3.1 Using BRF+ Rules in SAP Process Control Business Rules

471

13.3.2 Additional Features of BRF+ and SAP Process Control

476

13.4 Advanced Rule Logic: Grouping, Aggregation, and Currency Conversion

477

13.5 Using the BRF+ Workbench

484

13.6 Continuous Control Monitoring: Content Export/Import

496

13.7 Summary

501

14 Continuous Controls Monitoring: Miscellaneous Topics

503

14.1 Efficiently Managing Continuous Controls Monitoring Content

504

14.1.1 Data Sources

504

14.1.2 Business Rules

505

14.1.3 Organization-Level System Parameters (OLSP)

507

14.1.4 OLSP and Business Rule Filter Conditions Combine

511

14.1.5 Runtime Binding of Date Ranges

512

14.1.6 Decoupling Test Schedule from Test Period

513

14.2 CCM Data Security

515

14.2.1 Guiding Principles

516

14.2.2 Analysis

516

14.2.3 The Goal

518

14.2.4 The Solution

519

14.2.5 CCM Data Security Model

521

14.3 Summary

521

15 SAP Risk Management Implementation

523

15.1 Enterprise Risk Management Overview

524

15.2 Enterprise Risk Management Scenario

526

15.2.1 Business Blueprint

529

15.2.2 Solution Configuration

529

15.2.3 Data Conversion and Master Data Setup

532

15.2.4 Authorization Concept and Roles

552

15.2.5 Workflows

556

15.2.6 Reporting

559

15.3 Operational Risk Management Overview

560

15.4 Operational Risk Management Scenario

563

15.4.1 Business Blueprint

565

15.4.2 Solution Configuration

566

15.4.3 Master Data Setup

566

15.4.4 Loss Event Management Workflow and Upload

576

15.4.5 Reporting

579

15.5 Summary

580

16 Trade Compliance and Financial Risk

583

16.1 Global Trade Key Functions

585

16.1.1 SAP Compliance Management

586

16.1.2 SAP Customs Management

589

16.1.3 SAP Risk Management

593

16.2 SAP ERP Setup for Trade Preference Processing

598

16.2.1 Set Up Communication from SAP ERP to SAP GTS

598

16.2.2 Set Up Document Transfer in SAP ERP

600

16.2.3 Maintain BOM Transfer Settings

601

16.2.4 Define a Worklist for Vendor-Based Long-Term Vendor Declarations

602

16.3 SAP Global Trade Services Setup

604

16.3.1 Define Basic Settings in SAP GTS

604

16.3.2 Set Up System Communication in SAP GTS

606

16.3.3 Number Range Configuration within SAP GTS

606

16.3.4 Define and Assign Organizational Parameters

607

16.3.5 Define the Country Group

609

16.3.6 Define and Activate a Legal Regulation

610

16.4 SAP Risk Management General Settings

612

16.4.1 Activate the Document Type and Item Category

612

16.4.2 Define an Organizational Structure

613

16.4.3 Activate the Preference Agreement

614

16.4.4 Define and Assign the Rule Set

616

16.4.5 Set Control Settings for the Data Scope in Vendor Declarations

617

16.5 SAP GTS Benefits

620

16.6 Summary

623

17 Compliance with Environment, Health, and Safety Management

625

17.1 Integration of SAP EHS Management and SAP Global Trade Services

626

17.1.1 SAP EHS Management Configuration

628

17.1.2 SAP Global Trade Services Configuration

636

17.2 Visualization Features with SAP GTS 10

642

17.2.1 Accessing the New User Interface

643

17.2.2 SAP NetWeaver Business Client (NWBC)

644

17.3 Sanctioned Party List Screening Configuration

645

17.4 SAP Global Trade Services Deployment and Reporting

647

17.4.1 Deployment Options

648

17.4.2 Reporting

649

17.5 Summary

656

18 Supply Chain Compliance

657

18.1 Import Filing to Reduce Compliance Costs

658

18.2 Import Processes within SAP ERP

658

18.3 SAP Global Trade Services Declarations

660

18.3.1 Customs Document Review

661

18.4 Customs Import Process Configuration with SAP ERP

668

18.5 SAP Global Trade Services Configuration

673

18.6 Configuration Settings for SAP Customs Management

681

18.7 Summary

694

19 Conclusion

695

19.1 Chapter Review

696

19.2 Business Benefits of the GRC Suite

697

19.3 GRC Suite and their Value

698

19.4 SAP GRC Future Outlook

699